Global Protect some questions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect some questions

L2 Linker

Hi

 

I have PA-3050 Cluster and will configure SSL-VPN for remote users "without licenses installed", so I have a couple of questions on Global Protect;

 

1- How many users can connect through SSL-VPN on this device?

 

2- Can we connect SSL-VPN over mobile phones using the same configuration required for remote users (gateways and portal), or there is special settings for mobiles?

 

3- Can we distribute the agent manually or automatically to clients (rather than connecting to portal)?

 

4- Now and per to my understanding, once global protect configured the HTTPS access to PA external IP will be used for global-protect, so how can we access firewall remotely through HTTPS after global protect configuration?

 

Thanks

 

Myasin 

2 accepted solutions

Accepted Solutions

Community Team Member

Hi @myasin,

 

Please check the comparison page to verify how many tunnels your specific model can handle :

 

https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-3050

 

There are several ways to deploy the software in your network (directly from the portal, from a web server, transparently from the command line, using group policy rules).  Check out the following link for more details :

 

https://www.paloaltonetworks.com/documentation/62/globalprotect/globalprotect-admin-guide/set-up-the...

 

I strongly advise not to manage your firewall through the external IP but you can access as explained here :

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Access-the-WebGUI-when-GlobalProtect...

 

Cheers,

-Kiwi.

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

Cyber Elite
Cyber Elite

@myasin,

1- The 3050 supports up to 2,000 SSL-VPN users on one PA-3050.

2- You would be able to if you were licensed, non-licensed units can not connect mobile phones or tablets via the GlobalProtect client.

3- You can distribute the GlobalProtect application however you like, very similar to AnyConnect in that regard.

4- How do you currently manage your firewall, hopefully not by connecting to the public IP address? Regardless with the right configuration even that would work, but usually you would configure mangement access on one of the interfaces interal to your network, or preforably on the management port. As long as you have allowed access via your GlobalProtect IP range you can access the firewall management while connected to GlobalProtect. From a security aspect I would highly recommend you review the policies however so that only those of you that rightfully need access to the management features can even get to the login page.  

View solution in original post

4 REPLIES 4

Community Team Member

Hi @myasin,

 

Please check the comparison page to verify how many tunnels your specific model can handle :

 

https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-3050

 

There are several ways to deploy the software in your network (directly from the portal, from a web server, transparently from the command line, using group policy rules).  Check out the following link for more details :

 

https://www.paloaltonetworks.com/documentation/62/globalprotect/globalprotect-admin-guide/set-up-the...

 

I strongly advise not to manage your firewall through the external IP but you can access as explained here :

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Access-the-WebGUI-when-GlobalProtect...

 

Cheers,

-Kiwi.

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Cyber Elite
Cyber Elite

@myasin,

1- The 3050 supports up to 2,000 SSL-VPN users on one PA-3050.

2- You would be able to if you were licensed, non-licensed units can not connect mobile phones or tablets via the GlobalProtect client.

3- You can distribute the GlobalProtect application however you like, very similar to AnyConnect in that regard.

4- How do you currently manage your firewall, hopefully not by connecting to the public IP address? Regardless with the right configuration even that would work, but usually you would configure mangement access on one of the interfaces interal to your network, or preforably on the management port. As long as you have allowed access via your GlobalProtect IP range you can access the firewall management while connected to GlobalProtect. From a security aspect I would highly recommend you review the policies however so that only those of you that rightfully need access to the management features can even get to the login page.  

Thank you both for your reply...

 

2- You would be able to if you were licensed, non-licensed units can not connect mobile phones or tablets via the GlobalProtect client.

(what type of license I need to use global protect over mobiles?

 And if I got the license, is there a need for special configuration for mobiles?)

 

3- You can distribute the GlobalProtect application however you like, very similar to AnyConnect in that regard.

(How I can get .exe and .msi copy of global-protect from portal?)

 

Thanks

 

Myasin

Community Team Member

Hi,

 

You can download the msi or pkg once you log into the portal using a web-browser.

 

Note that the portal does not distrubite the GlobalProtect app for use on mobile devices.  To get the app, end users must download it from the app hosting site for the device (App Store, Google Play, Chrome Web Store).

 

You can follow this guide to configure GlobalProtect on your firewall :

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-GlobalProtect/ta-p/5835...

 

As for licenses I recommend that you reach out to your local sales contact.

As per this DOC you'll be needing the Gateway Subscription :

 

https://www.paloaltonetworks.com/documentation/61/globalprotect/globalprotect-admin-guide/globalprot...

 

Cheers !

-Kiwi.

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 2 accepted solutions
  • 2693 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!